Cyber defender Brandis is proving unfit for purpose

The minister responsible for leading cabinet discussions about Australia's cybersecurity can't even explain a web address. May God have mercy on our souls.
Written by Stilgherrian, Contributor

I used to think that cybergeddon, the much-hyped digital Pearl Harbor, was just hawkish scaremongering. Now I'm not so sure. The evidence that we're in the midst of a cyber cold war is mounting daily — as is the evidence that one of Australia's key defenders isn't fit for purpose.

As industrial control system (ICS) hackers told me two years ago, while the SCADA systems that control everything from power stations and oil refineries to chocolate factories and hotel air conditioning have shockingly bad security, you need to know how the systems are set up. Knowing how to hack controller number 75454 is useless, unless you know what controller 75454 actually does, and how it interacts with the rest of the system.

But since then we've learned a lot about the scale and scope of cyber espionage and weapons development. Stuxnet and Flame, the worms that got so much attention back then, just hint at what must be a massive stockpile of cyber weapons.

Last November, when Kaspersky Lab founder Eugene Kaspersky was on his global cyber scare tour, his comments about the scale of espionage led me to believe that the operating manual for controller 75454 was probably scooped up long ago — along with the address of the kindergarten where the operator's children spend their days, oh so vulnerable.

And just days ago, we learned that a Russian crime gang has stockpiled 1.2 billion usernames and passwords. "The group includes fewer than a dozen men in their 20s," reported The New York Times. So given that, plus what we know via Mr Snowden's work, imagine what a few thousand well-funded military or defence-contractor hackers could get up to. Or rather, have already gotten up to.

I'm guessing that a variety of nation-states have already gathered plenty of SCADA plans and logins, have already conducted plenty of drills, have already calculated how well it'd work given certain levels of failure, and have already turned it all into operating procedures. On a planet whose ape-creatures set up systems for launching thousands of thermonuclear warheads at each other on a few minutes' notice, what's turning off a few power stations or crashing a few oil trains into each other? SCADAgeddon will have been automated.

When the siren sounds, gentlemen, insert your keys and select "Shut down Belgium".

In brief, we're screwed.

Which brings me to the glory that was Wednesday evening's television appearance by Australia's favourite Attorney-General, Senator George Brandis QC. Watch it. His brandisplaining of metadata collection in the context of the proposed mandatory data retention regime is hilarious — web surfing, the "electronic address" of a website, "computer terminals", it's all there.

As ZDNet reported, the interview was such a train wreck that today Brandis ditched keynoting a conference on freedom of speech, one of his favourite subjects, to instead attend a memorial service for the victims of the MH17 attack.

Brandis' quarter-baked explanation of data retention would be a passing amusement, up there with a series of tubes and the spams or scams that come through the portal, except for two things.

One, Brandis is clearly clueless about the basic concepts underlying an important government policy. As I said on ABC Radio's AM this morning, this is about the operation of our intelligence services — something that we do need to get right for our nation's security, yet something that's riddled with subtle human rights and privacy implications.

No-one's asking Brandis to be a systems administrator. But even non-technical internet users of middling intelligence can learn to understand the difference between a URL and an IP address in just a few minutes. Brandis either hasn't bothered or isn't equipped to understand.

If the nation's chief law officer still isn't across the basics of what data would and wouldn't be collected, this many months into the discussions, that's a real cause for concern.

It's also concerning that he doesn't seem to be reading the talking notes being passed around the Liberal party this week. Not only has Brandis taken a different approach to copyright infringement than his Cabinet counterpart, Minister for Communications Malcolm Turnbull, but yesterday saw the attorney-general talking from a different page than his Prime Minister.

Two, Brandis is, as attorney-general, the minister responsible for CERT Australia, the agency which acts as the government's contact point for cyber security issues affecting our critical infrastructure and major Australian businesses. Brandis is therefore responsible for relaying CERT Australia's briefings into federal cabinet, and explaining their policy and political implications to his colleagues.

Given yesterday's TV performance, imagine how well that works.

Back in March, I wrote that when it comes to explaining metadata retention, Brandis is clearly either ignorant or wilfully disingenuous. I think we now know which it is. Despite his stated aim to make national security his focus, Brandis is proving incompetent for that job.

Should SCADAgeddon come, may God have mercy on our souls.
